CVE-2026-45013: CWE-20: Improper Input Validation in apostrophecms apostrophe
ApostropheCMS versions up to and including 4.29.0 have an improper input validation vulnerability in the password reset flow. The reset URL is constructed using the HTTP Host header without proper validation when apos.baseUrl is not configured. An unauthenticated attacker can exploit this by sending a crafted reset request that causes the victim to receive a reset link pointing to the attacker's domain. Clicking the link exposes the valid reset token to the attacker, enabling full account takeover. No patch is currently available for this vulnerability.
AI Analysis
Technical Summary
CVE-2026-45013 describes an improper input validation vulnerability (CWE-20) in ApostropheCMS (product apostrophe) versions <=4.29.0. The password reset flow constructs the reset URL using req.hostname, which is derived from the HTTP Host header controlled by the attacker if apos.baseUrl is not explicitly set. This allows an unauthenticated attacker who knows a victim's email to send a reset request that results in the victim receiving a reset link pointing to the attacker's domain. When the victim clicks the link, the attacker obtains the valid reset token, enabling full account takeover. There is no known patch or official fix available at the time of publication.
Potential Impact
The vulnerability allows an unauthenticated attacker to perform account takeover by tricking victims into clicking a password reset link that points to a malicious domain controlled by the attacker. This leads to compromise of the victim's account without requiring authentication. The CVSS 3.1 score is 8.1 (high), reflecting the network attack vector, low attack complexity, no privileges required, user interaction required, and high confidentiality and integrity impact.
Mitigation Recommendations
As of the time of this report, no official patch or fix is available. Users should explicitly configure apos.baseUrl to a trusted value to prevent the application from using the attacker-controlled Host header when constructing reset URLs. Monitor vendor advisories for updates and patches addressing this issue.
CVE-2026-45013: CWE-20: Improper Input Validation in apostrophecms apostrophe
Description
ApostropheCMS versions up to and including 4.29.0 have an improper input validation vulnerability in the password reset flow. The reset URL is constructed using the HTTP Host header without proper validation when apos.baseUrl is not configured. An unauthenticated attacker can exploit this by sending a crafted reset request that causes the victim to receive a reset link pointing to the attacker's domain. Clicking the link exposes the valid reset token to the attacker, enabling full account takeover. No patch is currently available for this vulnerability.
CVSS v3.1
Score 8.1high
Affected software
pkg:npm/apostrophecms/apostropheRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-45013 describes an improper input validation vulnerability (CWE-20) in ApostropheCMS (product apostrophe) versions <=4.29.0. The password reset flow constructs the reset URL using req.hostname, which is derived from the HTTP Host header controlled by the attacker if apos.baseUrl is not explicitly set. This allows an unauthenticated attacker who knows a victim's email to send a reset request that results in the victim receiving a reset link pointing to the attacker's domain. When the victim clicks the link, the attacker obtains the valid reset token, enabling full account takeover. There is no known patch or official fix available at the time of publication.
Potential Impact
The vulnerability allows an unauthenticated attacker to perform account takeover by tricking victims into clicking a password reset link that points to a malicious domain controlled by the attacker. This leads to compromise of the victim's account without requiring authentication. The CVSS 3.1 score is 8.1 (high), reflecting the network attack vector, low attack complexity, no privileges required, user interaction required, and high confidentiality and integrity impact.
Mitigation Recommendations
As of the time of this report, no official patch or fix is available. Users should explicitly configure apos.baseUrl to a trusted value to prevent the application from using the attacker-controlled Host header when constructing reset URLs. Monitor vendor advisories for updates and patches addressing this issue.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-08T16:58:28.895Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a2c7589e617e2d834c30b6c
Added to database: 6/12/2026, 9:09:29 PM
Last enriched: 6/12/2026, 9:24:30 PM
Last updated: 6/13/2026, 1:19:51 AM
Views: 8
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.